From 6b7eabdd41f83033484f3751800a357f523d8bae Mon Sep 17 00:00:00 2001
From: Tomofumi Hayashi
Date: Thu, 19 Oct 2023 02:02:08 +0900
Subject: [PATCH] Update cipher for security hardenings

---
 cmd/webhook/main.go         | 6 ++++++
 deployments/deployment.yaml | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
index c1cc7c05..d11e376f 100644
--- a/cmd/webhook/main.go
+++ b/cmd/webhook/main.go
@@ -92,6 +92,12 @@ func main() {
 		Addr: fmt.Sprintf("%s:%d", *address, *port),
 		TLSConfig: &tls.Config{
 			GetCertificate: keyPair.GetCertificateFunc(),
+			MinVersion: tls.VersionTLS12,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+			},
 		},
 	}
diff --git a/deployments/deployment.yaml b/deployments/deployment.yaml
index 4c40133c..307a5d37 100644
--- a/deployments/deployment.yaml
+++ b/deployments/deployment.yaml
@@ -48,7 +48,7 @@ spec:
         args:
         - --logtostderr
         - --secure-listen-address=0.0.0.0:8443
-        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+        - --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
         - --upstream=http://127.0.0.1:9091/
         - --tls-private-key-file=/etc/webhook/key.pem
         - --tls-cert-file=/etc/webhook/cert.pem
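Review bot: The new `CipherSuites` list in the `tls.Config` is ECDSA-only, so a TLS 1.2 handshake can only succeed if the certificate returned by `keyPair.GetCertificateFunc()` carries an ECDSA key; this commit does not show how that key pair is generated, and if it is RSA every TLS 1.2 client will fail with a no-shared-cipher-suite alert. Either confirm the serving certificate is ECDSA, or add the matching `tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` and `tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` entries so the key type of the cert does not silently decide reachability. It is also worth a comment that Go ignores `CipherSuites` for TLS 1.3 (those suites are fixed), so the list above only governs TLS 1.2 clients, e.g. `// CipherSuites only restricts TLS 1.2; Go does not allow configuring TLS 1.3 suites.` The enclosing `main` starts before and ends after this hunk.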
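Review bot: The ChaCha20 suite is spelled `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305` in the new `--tls-cipher-suites` value but `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` in the Go change of the same commit; whether the proxy's flag parser accepts the older spelling depends on its cipher-name table, which is not in this diff, and an unrecognized name typically aborts the container at startup. Using the same `_SHA256` spelling on both sides removes that risk, i.e. `- --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`. The same ECDSA-only caveat applies here: TLS 1.2 clients of this proxy can only connect if `/etc/webhook/cert.pem` is an ECDSA certificate, so that should be confirmed or the ECDHE_RSA GCM/ChaCha20 equivalents added. The Go side also pins `MinVersion: tls.VersionTLS12`; if the proxy exposes a minimum-version flag, setting it here would keep the two listeners consistent.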